Privacy Policies & Information

Arranging Testing for Coronavirus: Privacy Information

Published 30th April 2020

Introduction

You have been invited to arrange a booking to undertake a coronavirus test because you or someone in your household is an eligible critical worker and is currently following government guidelines on self-isolation.

The test will confirm whether you currently have coronavirus. The result of the test will enable you or the key worker(s) in your household to know whether to continue to self-isolate or whether it is safe to return to work.

Testing is completely voluntary, and you do not have to take a test. If you do decide to take a test, then you need to follow the instructions provided at the regional test site.

Once you have taken the test, your sample will be analysed in a laboratory, and you will be informed of the result (positive, negative or inconclusive) by text and/or email. You will be given advice on any next steps that need to be taken following your result.

Your test result will also be sent to a central database, along with other information relating to coronavirus, to enable organisations to respond to coronavirus.  This database is held by NHSX and controlled by NHS England.  All information in this database is held securely, and access to this information is tightly governed, in line with Data Protection requirements. Details of your test result are not provided to the CCG or your employer.

Data Controller

NHS Surrey Heartlands Clinical Commissioning Group, on behalf of the Surrey Resilience Forum, have commissioned the Trustwide system for arranging testing within Surrey.  The CCG is therefore the Data Controller of the data entered on to the test booking system for the purposes of Data Protection legislation. The CCG decides what information is required and how it needs to be used.

The Department of Health and Social Care (DHSC) has commissioned the virus testing programme on behalf of the UK and is the Data Controller of the data used during the testing and gathered from this – you should therefore also read the Privacy Notice they provide for the testing programme on the GOV.UK website at link.  

Other organisations will also support the process of arranging tests but can only act on instructions provided to them by the CCG. These organisations are known as Data Processors.

What personal data we collect

The details we need from you to arrange testing are:

  • First and last name
  • Staff Number
  • Email address
  • Phone number
  • Vehicle registration number
  • Name of other household member (where test is for another person in the household)

How we use your information to arrange testing

Your details will be captured in a database.  A member of the central team will then make contact with you to book your appointment at a testing site.  Your details will then be passed to the team running the testing site, so they can take forward the testing process commissioned by the DHSC.   

We may also provide your details to your employing organisation, so they can monitor which staff have arranged for testing and follow up with them as necessary.

Purposes your information will be used for

NHS Surrey Heartlands CCG is the Data Controller for the following health and care related purposes:

  • Gathering data required for arranging testing
  • Booking the appointment to the regional test site

Data Processors and other recipients of your data

Organisations who use your data and information on behalf of a Data Controller can only do so with clear instructions from them. They cannot use your data and information for any other purpose.

Any use of information that is not covered by the instructions from the Data Controller would be unlawful, unless the Data Controller agrees and provides written permission to do this.

The CCG have appointed Data Processors, as indicated below, to carry out these activities:

  • Supplier of the Trustwide system used to gather data required to arrange testing – C&C Technology and Consulting Limited
  • Contacting you to book your appointment for testing – Surrey County Council

Other recipients of your data may include: 

  • Your employer
  • The Department of Health and Social Care (DHSC)
  • Organisations that manage the testing sites on behalf of DHSC (see link)
  • NHS England

Your information used for other purposes

Your information may also be used for different purposes that are not directly related to your health and care. These include:

  • Prioritisation of bookings for testing
  • Monitoring uptake of testing within Surrey
  • Providing data to employing organisations on levels of staff testing
  • Planning of services or actions in response to coronavirus

Information provided by you, and collected about you, in relation to testing for coronavirus will not be used for any purpose that is not linked to coronavirus.

Wherever possible, information that does not directly identify you will be used for these purposes, but there may be times when it is necessary for your personal data to be used.

Any releases of information that identify you will be lawful and the minimum necessary for that purpose.

The CCG is required under law by DHSC and NHS England to collect, analyse and share information and data relating to coronavirus, when this information is requested by them.  DHSC and NHS England may give this information to other health and care organisations responding to coronavirus.

Legal basis

The CCG’s legal basis for processing your personal data is:

  • GDPR Article 6(1)(e) – the processing is necessary for the performance of its official tasks carried out in the public interest in providing and managing a health service
  • GDPR Article 9(2)(h) – the processing is necessary for medical diagnosis, the provision of health treatment and management of a health and social care system
  • Data Protection Act 2018 – Schedule 1, Part 1, (2) (2) (f) – Health or social care purposes

Other organisations involved in processing your data will be doing so either with an agreement in place with the CCG to provide that service, or with a legal basis of their own (such as DHSC / NHS England).

Your rights under Data Protection Act 2018 and GDPR

By law, you have a number of rights as a data subject, such as the right to access information held about you.

This testing programme does not take away or reduce these rights, so you can still request (for example), from the organisations named in this notice, copies of the information they hold about you.

If you are unhappy or wish to complain about how your information is used as part of this programme, you should contact the CCG in the first instance to resolve your issue. 

If you are still not satisfied, you can complain to the Information Commissioner’s Office.

Retention and storage of your information

Your information will be stored in line with the Records Management Code of Practice for Health and Social Care 2016. This means we will keep your information for up to 8 years before we dispose of it.

Information that identifies you will be stored securely, and processed, in the UK.

Information that does not, and cannot, identify you may be stored and processed outside of the UK. For example, information purely about the number of tests conducted, or the number of outcomes from tests.

Data Protection Officer

The Data Protection Officer for the CCG is Daniel Lo Russo

Email: gwccg.informationgovernance@nhs.net  

Coronavirus Antibody Testing: Privacy Information

Published June 2020

Introduction

An antibody test can tell someone whether they have had the virus that causes Covid-19 in the past, by analysing a blood sample.  A positive antibody test demonstrates that someone has developed antibodies to the virus. The presence of antibodies signals that the body has staged an immune response to the virus.

Covid-19 is a new disease, and our understanding of the body’s immune response to it is limited. We do not know, for example, how long an antibody response lasts, nor whether having antibodies means you can’t transmit the virus to others. Our understanding of the virus will grow as new scientific evidence and studies emerge.

How your data will be used

We will use the data you supply to arrange for you to receive an antibody test at one of our testing sites.  The results of your test will be communicated to you and your employer. The results will not go on the employment record.  However, your GP Practice will be able to access the results should these be required by them for your care and treatment.

Data gathered during the antibody testing programme will also be securely transferred to a central database which is held and controlled by NHS England.  All information in this database is held securely, and access to this information is tightly governed, in line with Data Protection requirements.  

The anonymised results from the testing programme will be used to undertake research which will provide information on the prevalence of COVID-19 in different regions of the country and help us better understand how the disease spreads. 

Data Controller

NHS Surrey Heartlands Clinical Commissioning Group, on behalf of the Surrey Resilience Forum, have commissioned the Trustwide system for undertaking the antibody testing programme within Surrey.  The CCG is therefore the Data Controller of the data gathered during the antibody testing programme for the purposes of Data Protection legislation. The CCG decides what information is required and how it needs to be used.

NHS England are the Data Controller for data gathered during the antibody testing programme once it has been transferred to them by the CCG for the purposes of undertaking national research. 

Other organisations will also support the delivery of the antibody testing programme and the related research but can only act on instructions provided to them by the CCG or NHS England. These organisations are known as Data Processors.

What personal data we collect

The details we need from you to arrange testing and for the research are:

  • First and last name
  • Date of Birth
  • NHS Number
  • Email address
  • Phone number
  • Occupation
  • Service / Team
  • Work Location
  • Gender
  • Ethnicity
  • Previous Covid-19 infection results
  • Health data (including the results of your tests and whether you are suffering from certain symptoms)

Purposes your information will be used for

Your data will be used for the following purposes:

  • Arranging for you to receive antibody testing
  • National and local research which will provide information on the prevalence of COVID-19 in different regions of the country and help us better understand how the disease spreads

What types of information we use

To allow us to undertake the activities above we will use different types of information. These include:

  • Identifiable Personal Data
    • Personal Data (for example your name, contact details, or date of birth)
    • Special Categories of Personal Data (which includes data relating to ethnicity and data relating to physical health)
  • Non-Identifiable Personal Data – this includes ‘Pseudonymised Personal Data’ where personal data which could be used to identify you has been replaced with a pseudonym.

The data used for research will always be pseudonymised prior to sharing with NHS England.

Data Processors and other recipients of your data

Organisations who use your data and information on behalf of a Data Controller can only do so with clear instructions from them. They cannot use your data and information for any other purpose.

Any use of information that is not covered by the instructions from the Data Controller would be unlawful, unless the Data Controller agrees and provides written permission to do this.

The CCG have appointed Data Processors, as indicated below, to carry out these activities:

  • Supplier of the Trustwide system used to gather data required to arrange testing – C&C Technology and Consulting Limited
  • Organisations involved in delivery of the Berkshire and Surrey Pathology Service, which will provide laboratories for the antibody testing 

Other recipients of your data may include: 

  • Your employer
  • The Department of Health and Social Care (DHSC)
  • NHS England
  • Organisations that undertake pseudonymisation of data on behalf of the CCG or NHS England

Legal basis

For processing data for testing and re-identification (if required to be sent to GP practices for direct care), the lawful basis under GDPR will be:

  • GDPR Article 6(1)(e) – “the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”
  • GDPR Article 9(2)(h) – “the processing is necessary for the provision of medical or social care or treatment” is also met.

The CCG’s official authority arises from the NHS Act 2006, Health & Social Care Act 2012, the Civil Contingencies Act, and the Coronavirus Act 2020. The lawful basis will apply to authorised processors of the CCG.  

Common Law Duty of Confidentiality expects that a duty of confidence is applied and that information should not be disclosed without the data subject’s consent.

Research Data

The Secretary of State for Health and Social Care has issued a general notice under the Health Service Control of Patient Information Regulations 2002 (COPI) to support the response to COVID-19. The notice requires NHS Trusts, Local Authorities and others to process confidential patient information (CPI) without consent for COVID-19 public health, surveillance and research purposes. The notice is currently in force until 30 September 2020 and provides a temporary legal basis to avoid a breach of confidentiality for COVID-19 purposes. At the time of expiry of the COPI notice, NHSE will apply for section 251 under the NHS Act 2006, for this activity.

The Health Research Authority (HRA) recommends that research organisations that are public authorities rely on public interest (Article 6(1)(e)) as their legal basis. Explicit consent under the GDPR is not necessary for health and care research.

Even though consent is not the legal basis for processing personal data for research, the common law duty of confidentiality is not changing, so consent is still needed for people outside the care team to access and use confidential patient information for research.

Other organisations involved in processing your data will be doing so either with an agreement in place with the CCG or DHSC / NHS England.

Your rights under Data Protection Act 2018 and GDPR

By law, you have a number of rights as a data subject, such as the right to access information held about you.

This testing programme does not take away or reduce these rights, so you can still request (for example), from the organisations named in this notice, copies of the information they hold about you.

If you are unhappy or wish to complain about how your information is used as part of this programme, you should contact the CCG in the first instance to resolve your issue – please see our website for further information on how to do this.     

However, you are also entitled to contact the Information Commissioner’s Office (ICO) if you have concerns about the way your information has been used. You can contact them by:

  • Visiting their website: ico.org.uk
  • Telephoning them on 0303 123 1113

Retention and storage of your information

The CCG holds records containing personal data for a limited amount of time and then securely destroys these when they are no longer required.  The CCG will ensure that records are held in accordance with the guidance and retention schedules included within the 2016 Records Management Code of Practice for Health and Social Care.  Please see our Records Management Policy for further information. 

This means we will keep your personal information for up to 8 years before we dispose of it.

Information that identifies you will be stored securely, and processed, in the UK. Information that does not, and cannot, identify you may be stored and processed outside of the UK. For example, information purely about the number of tests conducted, or the number of outcomes from tests.

Data Protection Officer

Under data protection legislation the CCG is required to have a Data Protection Officer (DPO) and it is their role to:

  • Inform and advise the organisation and its employees about their obligations to comply with applicable data protection legislation;
  • Support and monitor compliance with applicable data protection legislation;
  • Be the first point of contact for individuals whose data is being processed.

The Data Protection Officer for the CCG is Daniel Lo Russo

Email: gwccg.informationgovernance@nhs.net  

Changes

We will review the information contained within this notice regularly and update it as required. We therefore recommend that you check this webpage regularly to remain informed about the way in which we use your data.

This version was last updated by the Deputy DPO on 16 June 2020.